Full Disclosure mailing list archives
Re: the world of botnets article and wrong numbers
From: "Toby McKay" <mcktoby () gmail com>
Date: Thu, 14 Sep 2006 16:59:55 +0300
On 9/14/06, Gadi Evron <ge () linuxbox org> wrote:
> > hi guys
> > i ask gadi on the botnets listserv on where he got the number 12K for
> > bots every month on his the world of botnets article [
> > http://www.beyondsecurity.com/whitepapers/SolomonEvronSept06.pdf
>
> You did..
>
> > ] .. he gave no real answer.
> > does that number sound right to anybody? where did you come up with it
> > gadi?
>
> First, the link I prefer people use is the one on my blog at securiteam,
> as it holds the copyright notice for Virus Bulletin, under which I was
> allowed to host the article:
> http://blogs.securiteam.com/index.php/archives/593
>
> Numbers... I can't speak for others, but I can try to answer better than
> I did on the botnets mailing list on whitestar.
>
> On individual honey nets, even rather large ones, the number of unique
> samples often assembled can be somewhere between 200 and 800 a month..
> depending on how wide it is spread and the networks it sits on.
>
> Which is why many of us cooperate.
>
> From cumulative honey nets monitoring of such smaller (yet very
> effective) nets, and some larger nets, we get to a number of about 15K
> new bot samples every month (Alan Solomon and myself wrote 12K, so we
> underplayed it a bit due to statistics being a bit shaky).
>
> So the real avg number is somewhere around 15K new unique samples a
> month.
>
> Further, the anti virus world sees about the same numbers. The Microsoft
> anti malware team (and Ziv Mador specifically) spoke of 15K avg bot
> samples a month, as well.
>
> I don't know what others may be seeing, but this is our best estimate as
> to what's going on with the number of unique samples released every
> month.
>
> Jose Nazario from Arbor replied on the botnets list that he sees similar
> numbers.
>
> I hope this helps... what are you looking to hear?
>
> Gadi.
can you show samples for a month? can you show them as being real or in your mind?
> ./mcktoby
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/